Cyber Incident Victim: Lawrence General Hospital
Date: Feb 2023
Location: United States of America
Summary
A cybersecurity incident at Lawrence General Hospital compromised protected health information belonging to over 70,000 patients following unauthorized access to confidential data. The breach exposed sensitive details including medical histories, demographic records, insurance information, and other identifiers under HIPAA protections. As a nonprofit hospital serving Massachusetts and southern New Hampshire communities, the organization notified affected individuals and reported the incident to federal regulators due to the scale of exposed health records. The event highlighted risks associated with healthcare data breaches such as identity theft and fraud without affecting the facility's operational status as a Level III trauma center.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 23, 2023, Lawrence General Hospital reported a data breach to the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) following a cybersecurity incident that exposed protected health information. The unauthorized access event compromised sensitive patient data entrusted to the hospital, prompting formal notification to federal regulators as required under HIPAA for breaches affecting more than 500 individuals. According to the HHS-OCR filing, the breach impacted 76,371 patients whose confidential medical and personal details were accessed by an unauthorized party. The hospital initiated direct notification procedures on the same day as the regulatory filing, dispatching data breach letters to all affected individuals. While the hospital's public communications remained limited—with no website notice or press release describing breach specifics by March 10, 2023—the HHS-OCR disclosure confirmed the incident involved protected health information (PHI), which under HIPAA includes any medical data paired with personal identifiers such as names, addresses, Social Security numbers, or medical record numbers. The scale of affected individuals placed this breach among significant healthcare data incidents reported in early 2023, with potential consequences including identity theft and financial fraud risks for impacted patients due to the sensitive nature of exposed PHI.

The compromised data encompassed multiple categories of PHI collected during patient care, ranging from medical histories and laboratory results to demographic and insurance information. Founded in 1875 and operating as a nonprofit institution in Lawrence, Massachusetts, the 189-bed Level III trauma center serves communities across the Merrimack Valley and southern New Hampshire, handling emergency care and other medical services for a substantial regional population. With nearly 2,000 employees and annual revenue approximating $281 million, the hospital’s operational scale amplified the breach's social and administrative impacts. Regulatory filings did not specify the technical cause of the data exposure, attacker methodology, or containment measures implemented post-discovery, nor did public records detail whether the breach stemmed from internal system vulnerabilities or compromised third-party vendors. The hospital restricted its verifiable response actions to mandatory HHS-OCR reporting and individual patient notifications, with no supplementary mitigation details or forensic findings disclosed through official channels in the immediate weeks following the breach disclosure.
